Managing a project to create a secure application takes the right combination of activities, teams, and supporting technology. This engaging course leads you through a set of proven, practical activities that result in demonstrable security.

Managing a project to create a secure application takes the right combination of activities, teams, and supporting technology. This engaging course leads you through a set of proven, practical activities that result in demonstrable security.

−

'''Instructor: Dave Wichers:''' Aspect's instructors are professional software developers who have dedicated their career to application security. Our instructors spend the majority of their time working with clients to secure critical web applications using a wide variety of web application technology. This practical experience allows our instructors to have interesting discussions about real-world problems that drive home the lessons being taught.

+

'''Instructor: John Pavone:''' Aspect's instructors are professional software developers who have dedicated their career to application security. Our instructors spend the majority of their time working with clients to secure critical web applications using a wide variety of web application technology. This practical experience allows our instructors to have interesting discussions about real-world problems that drive home the lessons being taught.

==== Venue ====

==== Venue ====

Revision as of 12:55, 8 October 2009

Welcome

We are pleased to announce that the OWASP DC chapter will host the OWASP AppSec 2009 conference in Washington, DC. The AppSec DC OWASP Conference will be a premier gathering of Information Security leaders. Executives from Fortune 500 firms along with technical thought leaders such as security architects and lead developers will be traveling to hear the cutting-edge ideas presented by Information Security’s top talent. OWASP events attract a worldwide audience interested in “what’s next”. The conference is expected to draw 600-700 technologists from Government, Financial Services, Media, Pharmaceuticals, Healthcare, Technology, and many other verticals.

Schedule

Training

There are a total of five classrooms over two days or 10 training days available at the conference. Two classrooms hold 30 students and the other three have a capacity of 24 students. The cost for two day training is $1350 USD and the cost for one day training is $650 USD.

2 Day Training: November 10 and November 11

Assessing and Exploiting Web Applications with the open source Samurai Web Testing Framework

This course will focus on using open source tools to perform web application assessments. The course will take attendees through the process of application assessment using the open source tools included in the Samurai Web Testing Framework Live CD (Samurai-WTF). Day one will take students through the steps and open source tools used to assess applications for vulnerabilities. Day two will focus on the exploitation of web app vulnerabilities, spending half the day on server side attacks and the other half of the day on client side attacks. The latest tools and techniques will be use throughout the course, including several tools developed by the trainers themselves.

Instructor: Justin Searle: Justin Searle, a Senior Security Analyst with InGuardians, specializes in penetration testing and security architecture. Previously, Justin served as JetBlue Airway’s IT Security Architect and has provided top-tier support for the largest supercomputers in the world. In his rapidly dwindling spare time, Justin co-leads prominent open source projects including The Middler, Samurai Web Testing Framework, BASE, and the social networking pentest tools: Yokoso! and Laudnum.

Java EE Secure Code Review

The gut of any application lies in its source code. With the ever-emerging landscape of threats and attack vectors facing today’s applications, the need for secure source code has never been greater. In this course, students will be working with actual web application source code samples and discover how to pinpoint weaknesses, identify common security flaws, and discuss corrective coding controls. Major application security domains will be covered, including common authentication and access control coding errors, session management vulnerabilities, identifying injection flaws, and more. For anyone looking to learn how to identify common security weaknesses in a code base, this course is a must.

Instructor: Sahba Kazerooni: Sahba Kazerooni is Practice Lead of Software Security Services. He has a strong background in Java EE architecture and development. At Security Compass, Sahba leads the Software Security Services practice which performs penetration testing, source code review, and Threat Modeling of client applications. He also plays a critical role in the development of curriculum for and delivery of Security Compass training services. He has developed and taught courses on various topics such as Secure Coding in Java EE, Exploiting and Defending Web Applications, and Application Security Awareness. Mr. Kazerooni is also an internationally-renowned speaker on security topics. He has presented at conferences around the world including BlackHat Security Conference in Amsterdam, Security Opus in San Francisco, and IDC WebSec in Mexico City. Sahba delivers Java secure coding training at the SANS Institute, the largest source for information security training and certification, and has also provided numerous presentations through ISC2 to their elite network of certified information security professionals.

1 Day Training November 10

Threat Modeling Express The benefits of threat modeling at the design stage are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling .

In this class, students learn how to create a “quick and dirty” application threat model using an organization’s most valuable resource: its people. Students learn about the basics of web application security, as well as learn about and perform a real hands-on Express Threat Model. A deliverable template and list of steps will be provided as takeaways for students.

Instructor: Krishna Raja: Krishna Raja is an Application Security Consultant with an extensive background in J2EE application development. He has performed comprehensive security assessments for various clients, which involves threat analysis, source code inspection and runtime penetration testing.

Mr. Raja has also been instrumental in the development and delivery of Security Compass’ training curriculum. He has developed and taught courses in Exploiting and Defending Web Applications, Application Security Awareness and Advanced Application Attacks to architects, project managers and developers across Canada and the United States. Krishna is an emerging speaker at information security conferences, and last year spoke at Source Boston 2008 and ISSA Secure SD Symposium.

This highly practical, interactive course will focus on secure coding techniques and methodologies that can be immediately applied in your applications. The class uses real-world examples, walking through real code samples, using live, feature-rich applications, and showing how to hunt down, debug, and mitigate these flaws through better coding practices.

Instructor: Whitehat

1 Day Training November 11

WebAppSec.php: Developing Secure Web Applications

Web applications are the new frontier of wide‐spread security breaches. This tutorial will guide through development practices to ensure the security and integrity of web applications, in turn protecting user data and the infrastructure the application runs on. Several attack types will be reviewed, along with how the proper development practices can mitigate their damage. Although the tutorial targets the security of PHP‐based applications, much of the content is applicable to other programming languages as well.

Instructor: Robert Zakon: Robert Zakon is a technology consultant and developer who has been programming web applications since the Web's infancy, over 15 years ago. In addition to developing web applications for web sites receiving millions of daily hits, he works with organizations in an interim CTO capacity, and advises corporations, non‐profits and government agencies on technology, information, and security architectures and infrastructures. He has presented at numerous conferences and taught a handful of courses and tutorials. Robert is a former Principal Engineer with MITRE's Information Security Center, CTO of an Internet consumer portal and application service provider, and Director of a university research lab. He is a Senior Member of the IEEE, and holds BS & MS degrees from Case Western Reserve University in Computer Engineering & Science with concentrations in Philosophy & Psychology. His interests are diverse and can be explored at www.Zakon.org where a full vitae is available.

Applying the OWASP Testing Guide with the OWASP Live CD

The OWASP Live CD provides the necessary tools to test web applications. The OWASP Testing Guide provides a testing framework. You're testing web applications currently, now what? Time to take your testing to the next level. This class will offer information on how to use the OWASP Live CD tools together for greater accuracy and speed, how to feed the results of one tool into another, and how to automate the more tedious aspects of web application testing. The training is focused not on what or how to test, but how to get more out of the testing time you have. Lets face it, testing time frames are always shorter then they should be, so how can you squeeze the most into the engagement time you have. After attending this training, you'll have some tricks in your bag to optimize your testing.

Instructor: Matt Tesauro:

Leader and Manager Training - Leading the Development of Secure Applications

Managing a project to create a secure application takes the right combination of activities, teams, and supporting technology. This engaging course leads you through a set of proven, practical activities that result in demonstrable security.

Instructor: John Pavone: Aspect's instructors are professional software developers who have dedicated their career to application security. Our instructors spend the majority of their time working with clients to secure critical web applications using a wide variety of web application technology. This practical experience allows our instructors to have interesting discussions about real-world problems that drive home the lessons being taught.